CVE-2026-32666
Automated Logic · WebCTRL
WebCTRL systems using the BACnet protocol are vulnerable to unauthorized access due to a lack of network-layer authentication inherent in the protocol.
Executive summary
WebCTRL building automation systems are at risk of unauthorized control and manipulation because the BACnet protocol lacks essential network-layer authentication.
Vulnerability
WebCTRL systems inherit a significant security weakness from the BACnet protocol, which does not require authentication at the network layer. An unauthenticated attacker with network access to the BACnet broadcast domain can send spoofed or unauthorized commands to building controllers.
Business impact
Exploitation of this vulnerability could allow an attacker to take control of critical building systems, including HVAC, lighting, and physical access controls. This poses a direct threat to physical security, operational continuity, and occupant safety. The CVSS score of 7.5 reflects the high impact on availability and integrity within industrial and building control environments.
Remediation
Immediate Action: Isolate BACnet traffic to a dedicated, secure VLAN and apply all available vendor security patches for WebCTRL and associated hardware.
Proactive Monitoring: Use Industrial Control System (ICS) monitoring tools to detect unauthorized BACnet read/write requests or anomalous traffic patterns on the building automation network.
Compensating Controls: Implement BACnet/SC (Secure Connect) where supported or utilize hardware-based VPNs and firewalls to encapsulate and authenticate BACnet traffic between segments.
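The monitoring and compensating-control items above both rest on the same idea: because BACnet/IP itself cannot tell an authorized workstation from a rogue host on the broadcast domain, the network has to. The following Python script is an added example written for this page (it is not Automated Logic or WebCTRL code and is not taken from the advisory). It parses the public BACnet/IP framing (BVLC, NPDU and APDU headers) of UDP payloads as a passive ICS monitor would see them on port 47808, identifies the confirmed-request service being invoked, and raises an alert when a read or state-changing request (WriteProperty, WritePropertyMultiple, DeviceCommunicationControl, ReinitializeDevice) originates from a source address that is not on an allowlist of authorized management hosts. The sample packets, the IP addresses and the allowlist are constructed for the demonstration.

```python
"""Passive BACnet/IP request monitor (added example, not vendor code).

Parses BVLC/NPDU/APDU headers from captured UDP payloads and flags confirmed
requests whose source IP is not an authorized management workstation.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BVLC_TYPE = 0x81                       # every BACnet/IP frame starts with 0x81
BVLC_FORWARDED_NPDU = 0x04             # carries a 6-byte originating address
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
APDU_CONFIRMED_REQUEST = 0x0
APDU_UNCONFIRMED_REQUEST = 0x1

CONFIRMED_SERVICES = {12: "readProperty", 14: "readPropertyMultiple",
                      15: "writeProperty", 16: "writePropertyMultiple",
                      17: "deviceCommunicationControl", 20: "reinitializeDevice"}
UNCONFIRMED_SERVICES = {0: "iAm", 8: "whoIs"}
STATE_CHANGING = {"writeProperty", "writePropertyMultiple",
                  "deviceCommunicationControl", "reinitializeDevice"}


@dataclass
class BACnetRequest:
    src_ip: str
    service: str
    confirmed: bool
    invoke_id: Optional[int]


@dataclass
class Alert:
    severity: str
    src_ip: str
    service: str


def parse_bacnet_ip(src_ip: str, payload: bytes) -> Optional[BACnetRequest]:
    """Return the request carried by one BACnet/IP frame, or None if not a request."""
    if len(payload) < 6 or payload[0] != BVLC_TYPE:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                     # BVLC length must cover the whole frame
    func = payload[1]
    if func == BVLC_FORWARDED_NPDU:
        off = 10
    elif func in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        off = 4
    else:
        return None                     # register/read-BDT and friends carry no APDU
    if payload[off] != 0x01:            # NPDU protocol version is always 1
        return None
    control = payload[off + 1]
    off += 2
    if control & 0x20:                  # DNET(2) DLEN(1) DADR(DLEN) present
        off += 3 + payload[off + 2]
    if control & 0x08:                  # SNET(2) SLEN(1) SADR(SLEN) present
        off += 3 + payload[off + 2]
    if control & 0x20:                  # hop count follows when DNET is present
        off += 1
    if control & 0x80:                  # network-layer message, no APDU
        return None
    apdu = payload[off:]
    if not apdu:
        return None
    pdu_type = apdu[0] >> 4
    if pdu_type == APDU_CONFIRMED_REQUEST:
        # type/flags, max-segs/max-resp, invoke ID, [seq, window if segmented], service
        svc_idx = 5 if apdu[0] & 0x08 else 3
        if len(apdu) <= svc_idx:
            return None
        name = CONFIRMED_SERVICES.get(apdu[svc_idx], f"confirmed-{apdu[svc_idx]}")
        return BACnetRequest(src_ip, name, True, apdu[2])
    if pdu_type == APDU_UNCONFIRMED_REQUEST and len(apdu) >= 2:
        name = UNCONFIRMED_SERVICES.get(apdu[1], f"unconfirmed-{apdu[1]}")
        return BACnetRequest(src_ip, name, False, None)
    return None


def detect(packets: Iterable[Tuple[str, bytes]], authorized: set) -> List[Alert]:
    """Alert on any confirmed request from a host outside the allowlist."""
    alerts = []
    for src_ip, payload in packets:
        req = parse_bacnet_ip(src_ip, payload)
        if req is None or not req.confirmed or src_ip in authorized:
            continue
        sev = "high" if req.service in STATE_CHANGING else "medium"
        alerts.append(Alert(sev, src_ip, req.service))
    return alerts


def bvlc(func: int, body: bytes) -> bytes:
    """Wrap an NPDU+APDU body in a BVLC header (helper for constructed samples)."""
    return bytes([BVLC_TYPE, func]) + (len(body) + 4).to_bytes(2, "big") + body


# Constructed sample frames: NPDU 01 04 = expecting reply, no routing info.
WRITE_PV = bvlc(0x0A, bytes.fromhex("0104 00050 10f 0c00400001 1955 3e4441a000003f 4908".replace(" ", "")))
READ_PV = bvlc(0x0A, bytes.fromhex("0104 0005020c 0c00400001 1955"))
REINIT = bvlc(0x0A, bytes.fromhex("0104 00050314 0900"))
WHO_IS = bvlc(0x0B, bytes.fromhex("0120ffff00ff 1008"))   # global broadcast Who-Is

AUTHORIZED = {"10.20.30.5"}             # constructed: the one WebCTRL server allowed to write
SAMPLE_PACKETS = [("10.20.30.99", WRITE_PV), ("10.20.30.99", READ_PV),
                  ("10.20.30.5", WRITE_PV), ("10.20.30.99", WHO_IS),
                  ("10.20.30.99", REINIT)]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_PACKETS, AUTHORIZED)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.src_ip} sent {a.service}")
```

The allowlist is the programmatic form of the segmentation advice: once BACnet traffic lives on its own VLAN, the set of hosts that may issue confirmed requests is small and known, so anything else is worth an alert. Discovery broadcasts (Who-Is) are left unalerted here because controllers and servers exchange them constantly; a stricter policy could flag those too. Where BACnet/SC is deployed, this kind of plaintext monitor no longer sees the payloads, which is the point of moving to it.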
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk to building operations is severe; therefore, organizations must stop relying on a protocol that provides no network-layer authentication of its own. Immediate network segmentation is required to prevent unauthenticated access. We strongly recommend transitioning to BACnet/SC or implementing robust compensating network security measures to ensure that only authorized administrative workstations can communicate with WebCTRL controllers.